〈   Contracts and audit
Digital risk assessment and management, and integration into processes

Chapter 2.1

How to identify threats to your company

A. What is a risk?

A risk is the effect of uncertainty on an organisation’s objectives, activities and requirements. A risk is associated with the likelihood that a threat exploits human error, a process failure or a system vulnerability and thus causes harm to an organisation.

The term “risk” entails the following aspects:

  • the combination of the likelihood that this risk will materialise and the impact (whether positive or negative) it would have on the course of business;
  • the uncertainty is estimated or determined using probabilities.
  • The organisation’s “objectives” extend to strategic development (e.g. customer requirements, innovation, market position). “Activities” comprise operational activities (e.g. procurement, production, services and sales).
  • “Requirements” refer in particular to laws, standards and other internal or external regulatory requirements, covering e.g. the safety/security of people, goods/property and the environment.
  • Risk is a consequence of events or changes of circumstances.

A risk is an event or an action or, conversely, inaction that may result in:

  • failure to achieve an objective;
  • a decline in performance;
  • a loss of opportunity.

The notion of risk is inextricably linked to that of vulnerability. Vulnerability, i.e. the absence or inadequacy of measures intended to deal with the risk, increases the probability and, above all, the impact of the risk. Thus, the failure to provide automatic sprinkler systems to tackle a fire in IT facilities constitutes a vulnerability, as does the absence of a backup solution with emergency equipment for teams whose IT hardware may have been destroyed or corrupted.

If teams can no longer work as a result, the impact will be exacerbated and the consequences could be serious for the organisation in question: decreased turnover, financial loss, reputational damage, and so on.

B. How to identify and assess a risk

The perception of a risk is often subjective. It is crucial to view the risk identification and assessment stages as part of a collective approach, so as to be challenged and to bring in other opinions and perspectives on the threats. Getting several minds around the table, if possible from different layers and businesses within the relevant organisation, makes it possible to understand, identify and assess the indicated risk, the associated vulnerabilities and the potential resulting impact more effectively.

Similarly, risk tolerance (or risk appetite) depends not only on the person analysing the risk, but also on the context of this assessment, and on the understanding of the issues. For the risk and the accompanying issues to be assessed more effectively, it is vital to have the most comprehensive information possible.

C. The different types of risks

Risks can be divided into various types. Some risks may obviously cut across several categories.

  • Technological or digital risk: This is related to the use of the IT system or its disruption by internal or external causes.
  • Operational risk: This is related to any disruption to the company’s operations and activities. This has the potential for losses caused by people, systems, inadequate or failed internal processes or by external events.
  • Regulatory risk: This is related to non-compliance with a regulation or law and the penalties that may result from this.
  • Reputational risk: This is related to the organisation’s brand image and reputation vis-à-vis its partners (subcontractors, suppliers, customers, institutions and authorities) or the general public.
  • Financial risk: This is related to the company’s investments, profitability or cash flow.
  • Strategic risk: This is related to the general strategy of the company and its market positioning.

D. Distinguishing between macro and micro risk analyses

Risk analysis can be conducted with two different approaches: a more strategic or macro view, and a more operational or micro view. An appropriate risk analysis involves a dialogue where the two approaches challenge each other.

Macro analysis is about viewing risks from the perspective of management and strategic IT, which will be questioned by process and activity managers. It focuses on the major families of risks, without necessarily going into the details of these processes and activities. This is a large-scale view – one that is less time-consuming than micro analysis, but also less precise, especially in the process of identifying the controls and measures that aim to reduce the process- or activity-specific risks.

Micro analysis is about viewing risks from the perspective of process and activity managers and operational IT, which will be challenged by management. It focuses on processes and activities but will make risk aggregation more complex in order to give management an overall view. This analysis requires a detailed knowledge of the organisation, as well as many interviews with process and activity managers not only to gain a full understanding of all the issues, but also to identify potential vulnerabilities.

2023 © Trust Valley. All rights reserved.